Skip to main content
  • On this page

Publication date: 30 April 2021

Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Chamonix’s handling of personal information through its mobile application (app) ‘Healthi’, conducted in October 2020.

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth), which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

1.3 This assessment was also conducted pursuant to the Memorandum of Understanding between the Office of the Australian Information Commissioner and Australian Digital Health Agency (ADHA MoU) which requires the OAIC to conduct assessments during the period covered by that MoU in relation to the My Health Record (MHR) system and the Healthcare Identifier (HI) Service.

1.4 The scope of this assessment considered Chamonix’s handling of personal information in relation to the MHR system through the Healthi app in accordance with APP 1.2 (open and transparent management of personal information) and APP 5 (notification of the collection of personal information).

1.5 This assessment found that Chamonix has taken reasonable steps to document its information handling policies, practices and procedures, as well as notify individuals of the collection of personal information.

1.6 However, the OAIC also identified some privacy risks associated with the handling of personal information through Healthi and made 4 recommendations and several suggestions (which may be found in Parts 3 and 4 the report) to address these privacy risks.

1.7 Specifically, the OAIC recommends that Chamonix:

  • regularly evaluate its internal policies and procedures relevant to the Healthi app in relation to their adequacy and currency
  • regularly review and test its data breach response plan to ensure it is up to date and that Chamonix staff know what actions they are expected to take in the event of a data breach
  • develop and implement a Privacy Management Plan (PMP)
  • implement regular and mandatory privacy refresher training for all staff. Chamonix should also record staff attendance at training to ensure all staff complete the training on a regular basis
  • include an APP 5 collection notice on the Healthi website for instances where personal information is collected via the Healthi webform or via email and verbally provide an APP 5 collection notice to consumers if any information is collected over the phone via the contact number on the Healthi website
  • consider adding to the webform on the Healthi website a warning to customers that they should not disclose any unnecessary personal information or sensitive information when filling out the web form
  • consider measures which limit or remove the ability for users to include unnecessary personal information via the webform
  • review the Healthi APP 5 collection notice to ensure that it covers all APP 5 matters stated in APP 5.2.

Part 2: Introduction;

Background My Health Record, System Operator and Registered Portal Operators

My Health Record

2.1 The MHR system is the Australian Government’s digital health record system, which provides registered healthcare recipients, healthcare professionals and healthcare providers with access to a summary of the registered healthcare recipient’s key health information.

2.2 The MHR system is routinely accessed by a range of different entities (known as ‘participants in the MHR System’)[1], including entities responsible for operating the system and those seeking access or provisioning access to personal information stored in the MHR system for a range of different purposes.

System Operator

2.3 The MHR system operates under the My Health Records Act 2012 (MHR Act), which establishes the role and functions of the MHR system operator, the Australian Digital Health Agency (ADHA), the registration framework for individuals and entities to participate in the MHR system, and the privacy framework surrounding the collection, use and disclosure of MHR information.

Registered Portal Operators

2.4 While many individuals who are registered healthcare recipients interface directly with the MHR system to access their MHR data through the Australian Government’s myGov portal,[2] others may rely on commercial or non-commercial service providers who act as intermediaries to facilitate that access through software products and services.

2.5 A ‘registered portal operator’ (RPO) is a person who is the operator of an electronic interface that facilitates access to the MHR system and is registered to participate in the MHR system.[3]

2.6 RPOs develop authorised mobile applications designed to provide individuals with the ability to view their own record content by providing secure ‘view only’ access through the MHR system’s mobile gateway[4].

2.7 As with other MHR entities, RPOs are subject to stringent legal and technical requirements, including those legislative requirements set out under the MHR Act, the My Health Records Rule 2016 (Cth), and My Health Records Regulation 2012 (Cth).

2.8 The primary non-legislative governance mechanism for imposing those requirements are ‘Registered Portal Operator Agreements’ which contain ‘interoperability requirements’ setting out standards that must be met by the entity and product in relation to operations, security and consent.

Chamonix and Healthi

2.9 Chamonix Pty Ltd (Chamonix) is an RPO for the MHR system and operates the Healthi mobile health application (Healthi app), which is the subject of this privacy assessment.

Chamonix Pty Ltd

2.10 Chamonix is a company based in Adelaide, South Australia, which provides business and information technology consultancy service[5]. At the time that the OAIC undertook fieldwork for this assessment, Chamonix advised the OAIC that it has 85 employees and that it meets the definition of an ‘organisation’ under the Privacy Act[6].

Healthi mobile health application

2.11 The Healthi app is owned and operated by Chamonix and is available for both Android and iOS operating systems.

2.12 Chamonix developed the Healthi app in 2016 when the mobile gateway for the MHR system was first developed. It was the first mobile app connected through the MHR system and therefore was used by the then MHR system operator (Department of Health) to test the mobile gateway.

2.13 Chamonix advised that in 2016 ADHA deemed the Healthi app’s processes for accessing the MHR system complaint with MHR legislative RPO contractual requirements.

2.14 The Healthi app is operated by the HIPS (Health Identifier and PCEHR [7] System) team within Chamonix. Chamonix advised the OAIC that it does not engage any third parties in developing or administering the Healthi app.

2.15 The OAIC understood from documentary evidence and fieldwork that the Healthi app provides ‘read-only’ access to a user’s MHR or the MHR of persons for whom the user is a nominated representative. The Healthi app does not have any other functionality nor does it interact with any other datasets. The Healthi app does not send information to third parties.

2.16 The OAIC observed that when using the Healthi app, users will see pages that are controlled by:

  • the Healthi app (where the individual is informed about the purpose and operation of the Healthi app before giving consent)
  • Services Australia and the MHR system operator (when individuals utilise the myGov authentication process [8], provide consent for the app to access the individual’s MHR and view their MHR).

2.17 In accordance with MHR consent requirements for app developers, the Healthi app notifies users via ‘pop up’ statements along the consent process when they are interacting with the Healthi app or the MHR system.

2.18 The Healthi app extracts data from the MHR system based on what part of the MHR the app user seeks to access. All MHR information is hosted by the system operator and sent directly to the Healthi app user’s mobile device. Chamonix advised that it does not handle any MHR information nor is MHR information transmitted across Chamonix’s IT infrastructure. In relation to the data that is viewed and extracted by the Healthi app, this is stored on the user’s phone, not on Chamonix’s IT systems (see diagram below).

Healthi app fig 1

2.19 Chamonix does collect and handle some personal information (name, phone, email addresses) through the ‘help and feedback’ link within the Healthi app, where users can report issues through a web form (available on the Healthi app website) or via email [9]. Within the Healthi app are links to the Healthi APP privacy policy[10] and security policy [11]both of which are available on the Healthi app website.

2.20 Chamonix advised the OAIC that they do not charge users to download and use the Healthi app and the app is otherwise not monetised. Within the Healthi app there is a designated space for third party advertising which is not used and currently refers users to the Healthi app website. Chamonix advised the ADHA does not currently allow advertising within a mobile app accessing the MHR system.

Part 3: Findings

Our approach

3.1 The key findings of this assessment are set out below under the following headings which are based on the assessment’s scope (discussed in Part 5):

  • APP 1.2 – Implementing practices, procedures and systems to ensure APP compliance and deal with enquiries and complaints
  • APP 5 – Notification of the collection of personal information

3.2 For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from these observations, followed by recommendations or suggestions to address those privacy risks.

3.3 As part of this assessment, the OAIC was guided by:

  • Chapters 1 and 5 of the APP Guidelines[12] in its consideration of the reasonable steps that Chamonix has taken to address the requirements of APP 1.2 and APP 5. The APP Guidelines outline the mandatory requirements of the APPs, the way in which the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act
  • the Privacy Management Framework [13], which details steps that Chamonix is expected to take to meet its ongoing compliance obligations under APP 1.2.

3.4 The APP Guidelines informed the OAIC’s judgment of what is ‘reasonable’ in the circumstances, noting that reasonableness is also informed by contextual facts surrounding a particular act or practice.

APP 1.2 – Implementing practices, procedures and systems

3.5 APP 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs; and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

3.6 This section examines key practices, procedures and systems of Chamonix and the Healthi app, which ensure Chamonix’s compliance with APP 1.2 and which relate directly or indirectly to the MHR system, including:

  • governance and culture
  • documented policies and procedures
  • risk management and Privacy Impact Assessments (PIAs)
  • training
  • systems for handling inquiries and complaints.

Governance and Culture

3.7 Robust corporate governance and a strong privacy culture are important systems which promote compliance of entities with the APPs by ensuring the effective oversight and accountability of decision-makers who are responsible for reviewing and approving changes to the handling of personal information which may affect the privacy of individuals.

3.8 Given the sensitivity of personal information collected by the Healthi app and the association of the Healthi app with the MHR system, the OAIC expected to see advanced privacy governance frameworks in operation and a strong privacy culture at Chamonix.

3.9 The OAIC observed that Chamonix has governance arrangements in place which apply to privacy issues and the operation of the Healthi app. Chamonix’s risk appetite is set by the company’s board. Chamonix advised it has a low risk appetite and is generally risk averse in relation to the handling of personal information as part of its business operations.

3.10 The roles within Chamonix that are responsible for managing privacy issues and reporting privacy issues to the company’s board are: the Managing Director, the State Manager (who is also the organisation’s privacy officer), the Service Lead (responsible for cyber security) and relevant Product Manager or (if required) relevant subject matter experts e.g. the Healthi app developers. Regular monthly meetings are held by this group to discuss pertinent issues including IT security and privacy.

3.11 The OAIC observed that Chamonix has procedures for escalating major incidents, including privacy incidents and other privacy issues (discussed below). All privacy issues are reported to the State Manager who in turn is responsible for reporting privacy issues to the board. Privacy issues are triaged by the Service Lead who assesses their severity. Major issues are immediately escalated to the State Manager and the Managing Director for their consideration.

3.12 At Chamonix, when handling privacy matters, business units are supported by the Service Lead and the State Manager in the form of advice and resources.

3.13 Chamonix does not have in place a formal PMP which assists with embedding a culture that enables privacy compliance (discussed below).

healthi corp structure fig 2

Chamonix privacy governance and reporting diagram

Documented policies and procedures

3.14 Documented policies and procedures ensure compliance with the APPs by clearly articulating to staff, employees and contractors any information handling requirements that apply to personal information, and the processes that should be followed to comply with those requirements.

3.15 Chamonix provided the OAIC with some documented information handling policies and procedures related to its operation of Healthi that seek to ensure Chamonix’s compliance with the APPs. For example, Chamonix has documented policies with regards to Chamonix’s overall handling of cyber security and privacy, the Healthi app’s information security controls and a policy which sets out how the Healthi app seeks consent from users when users download the app. Chamonix staff demonstrated good overall knowledge of the company’s information management practices.

3.16 The documentation reviewed by the OAIC were in many instances either in draft form, were not dated, several years old and/or had not been reviewed for long periods of time. This raises the medium privacy risk that personal information is not being handled in accordance with Chamonix’s information handling practices.

3.17 The State Manager, in their capacity as the company’s privacy officer, is responsible for maintaining Chamonix’s information handling policies and procedures. Chamonix does not have a regular process for updating it policies and procedures. The OAIC recommends that Chamonix, specifically the State Manager, regularly evaluate Chamonix’s internal policies and procedures relevant to the Healthi app to ensure their adequacy and currency and implement a process for updating these policies and procedures in a manner that is suitable for the organisation and in consideration of its obligations under APP 1.2.

Data breach procedure and response plan

3.18 Chamonix’s main internal policy and procedure document has a section which sets out how the company deals with cyber security, privacy and the handling of personal information. Within this section Chamonix has a documented data breach procedure and response plan for managing privacy incidents such as breaches. Chamonix advised that the same plan is also used for handling privacy inquiries and complaints though this is not stated in the plan. Under the plan, privacy incidents are logged and reported to the company’s board as part of its monthly meeting. Each incident is assessed to determine if it is an eligible data breach for the purposes of the Privacy Act and therefore requires escalation. If the incident is considered to be serious, the incident then is immediately escalated to the State Manager. Chamonix also advised that its data breach response plan was not regularly tested and was last tested in late 2019. This raises the medium risk that Chamonix’s data breach response plan may be ineffective, especially if there have been changes to Chamonix’s information handling practices since the last test.

3.19 Chamonix should regularly review and test its data breach procedure and response plan to make sure it is up to date, and that Chamonix staff know what actions they are expected to take in the event of a data breach. Chamonix could test its plan by, for example, responding to a hypothetical data breach and reviewing how its response could be made more effective and then updating its plan accordingly.

3.20 The OAIC also suggests that Chamonix review the plan to clarify that it also applies to the handling of privacy inquiries and complaints and ensure that the plan is fit for those purposes as they may require alternative procedures.

Healthi privacy policy

3.21 Chamonix has developed a privacy policy which is published on the Healthi app website along with a security policy which sets out how the Healthi app functions and how Chamonix protects personal information. Both policies are required by ADHA for apps connecting with the MHR system. The privacy policy also acts as the APP privacy policy for the Healthi app required under APP 1.3. The scope of the assessment did not include an analysis of the compliance of the Healthi app’s privacy policy with the requirements of APPs 1.4-1.6. However, a brief analysis of the policy did reveal some areas where the APP privacy policy may not satisfy all the requirements of APP 1. For example, the Healthi app privacy policy does not contain any information about how the individual may access and seek correction of their personal information and complain to Chamonix about a breach of the APPs and how the entity will deal with such a complaint [14](this issue is also discussed in the context of APP 5.2 below). The OAIC suggests that Chamonix review the Healthi app privacy policy to ensure it satisfies the requirements of APP 1.

3.22 More information on having a compliant APP Privacy Policy can be found in the OAIC’s Guide to developing an APP privacy policy[15]

Privacy management plan

3.23 As discussed above, Chamonix does not have a PMP and therefore raises the medium risk that Chamonix is not embedding a culture that enables privacy compliance. A PMP identifies specific, measurable privacy goals and targets and sets out how an entity will implement the four steps outlined in the OAIC’s Privacy management framework and meet its goals for managing privacy. The OAIC recommends that Chamonix develop and implement a PMP.

Recommendation 1

Chamonix should:

  • regularly evaluate its internal policies and procedures relevant to the Healthi app to ensure their adequacy and currency and implement a process for updating these policies and procedures in a manner that suitable for the organisation and in consideration of its obligations under APP 1.2
  • regularly review and test its data breach response plan to ensure it is up to date and that Chamonix staff know what actions they are expected to take in the event of a data breach
  • develop and implement a PMP.

Risk management and PIAs

3.24 The accurate assessment and appropriate escalation of privacy risks allows them to be effectively managed and mitigated. Implementing effective risk reporting and management procedures and systems commensurate with the type and scale of personal information collection is essential to ensure compliance with the APPs.

3.25 Within Chamonix, new projects involving personal information undergo a risk assessment process which includes consideration of privacy issues. Chamonix also maintains a risk register for the Healthi app and a general risk register. The OAIC was advised that the outcomes of any risk assessments and all risks (including privacy risks) noted in Chamonix’s Healthi app risk register and the general risk register are reported to the company’s board monthly. However, there is no documented threshold at which new or emerging privacy risks (outside of monthly reporting) ought to be escalated from the business area responsible for the project to senior management, for example if a risk is identified as a result of a data breach.

3.26 Chamonix advised that it has a PIA[16] process that it follows for new projects involving personal information. Chamonix also advised that it conducted a PIA when it first developed the Healthi app in 2016. Chamonix’s does have a documented process for conducting PIAs in the form of a PIA template which is based on OAIC guidance to assist staff to evaluate a new project’s privacy risks.

3.27 Chamonix also employs a checklist approach to cyber security issues in its risk assessment process, though privacy concerns do not directly feature on that list. Following a cyber security risk assessment, a further technical risk assessment is conducted which identifies the type of information being handled by the project (e.g. if it involves personal or sensitive information) and the security requirements around it.

3.28 In the context of the Healthi app, the OAIC was informed that a security risk assessment, vulnerability testing and a PIA were conducted in 2016 which noted that most of the security and privacy risks identified with Healthi reside with the MHR infrastructure and MHR System Operator as the design of the app does not involve the handling of MHR information by Chamonix’s IT systems.

3.29 Based on interviews with Chamonix staff, the OAIC is confident that there are informal processes and discretionary thresholds applied to the escalation of privacy issues between the business area responsible for the Healthi app and the State Manager. However, the documentation of thresholds for escalation would provide additional assurance that the management and reporting of privacy risks relevant to the Healthi app function effectively.

3.30 The OAIC suggests that Chamonix could more thoroughly document new or emerging privacy risks, specifically the processes for escalating privacy risks to senior management, with a view to ensuring that all privacy risks are appropriately managed for new projects and systematic changes to existing systems or practices related to the Healthi app which may have an impact on the privacy of individuals. Due to Chamonix’s low risk appetite for handling personal information, data minimisation approach to administering the Healthi app and its practice for undertaking PIAs for new projects, the OAIC considers this is currently a low risk. However, the privacy risk around this activity will increase if Chamonix decides in the future to change the operation of the Healthi app resulting in increased handling of personal information.

Training

3.31 Training supports APP entity compliance with the APPs by embedding a strong privacy culture within the organisation and operationalising key privacy policy and procedures.

3.32 Chamonix conducts in-person privacy training for all staff, employees and contractors during induction, which focusses on compliance with the APPs.

3.33 More specific training is provided to Chamonix staff based on their roles and responsibilities. Specifically, more detailed induction training is provided to staff who work within the HIPS team responsible for the Healthi app. This detailed induction training covers Chamonix’s mobile app developer guidelines which deals with technical matters such as coding requirements.

3.34 Chamonix does not provide mandatory refresher privacy training for its staff. This raises the medium risk that Chamonix staff, when handling the personal information processed by the Healthi app, may not have a proper understanding of their obligations under the APPs or in the event of a data breach.

3.35 Chamonix should implement regular and mandatory privacy refresher training for all staff. This training should include short-term staff and contractors. Such training should cover obligations for staff under the APPs, MHR legislation and under Chamonix’s data breach response plan. Chamonix should also record staff attendance at training to ensure all staff complete the training on a regular basis.

Recommendation 2

Chamonix should Implement regular and mandatory privacy refresher training for all staff. This training should include short-term staff and contractors. Such training should cover privacy obligations for staff under the APPs, MHR legislation and under Chamonix’s data breach response plan. Chamonix should also record staff attendance at training to ensure all staff complete the training on a regular basis.

Systems for handling privacy inquiries and complaints

3.36 APP 1.2 requires APP entities to ensure they have practices, procedures and systems in place to enable the entity to deal with privacy related inquiries or complaints from individuals about the entity’s compliance with the APPs.

3.37 During the assessment fieldwork Chamonix demonstrated that it has in place practices, procedures and systems that enable it to deal with privacy inquiries or complaints from individuals about the Healthi app and Chamonix’s compliance with the APPs (the same process used for data breaches), including:

  • a web form and dedicated email address on the Healthi app website for customers who need help using the Healthi app, wish to provide feedback or who want to make a privacy complaint, query or report a privacy incident or possible breach
  • a phone contact to follow up more complicated matters with the Healthi app customers
  • documented plan for managing privacy breaches, inquiries and complaints (discussed earlier)
  • a ticketing system and service desk support function for managing customer issues including privacy issues such as breaches, complaints and queries.

3.32 The service desk team who manage the ticketing system along with the HIPS team are the only staff who can access the data held within a ticket – approximately 10 staff members in total. If a ticket contains personal information, for example a user in making a complaint provides Chamonix with personal information which is unnecessary for the purposes of their complaint, Chamonix advised the OAIC that it will treat such a situation as if it were a privacy breach thereby triggering their data breach response plan. This includes

  • deleting the personal information (only retaining details relevant to resolving the complaint
  • notifying the state manage
  • informing the individual who provided the information.

3.38 All privacy inquiries and complaints are triaged based on urgency. Chamonix advised that they have not received any complaints from the public regarding the Healthi app although they have received few inquiries since the Healthi app’s launch in 2016 in relation to what Chamonix does with personal information processed by the Healthi app. Chamonix is not required to inform ADHA of any complaints it receives regarding the Healthi app though Chamonix advised it would inform ADHA if this were to happen.

3.39 Given the strong safeguards imposed by the Australian Parliament in respect of MHR Data, the OAIC considers that any privacy incident, whether directly or indirectly related to the MHR System should be reported to the System Operator, the AHDA, because such incidents are likely to affect public trust in the MHR System, and may cause indirect harm to its users.

3.40 Chamonix advised the OAIC that its communication channels with ADHA are effective, that they have an established relationship with ADHA that is broader than the Healthi app (Chamonix has been contracted by ADHA to develop MHR integration software [17]) and therefore Chamonix stated that they are comfortable that they can receive clarification from ADHA on privacy issues related to the Healthi app, if required. Further, Chamonix noted that it has regular interactions with the ADHA via:

  • regular emails - Chamonix is on a mailing list for software developers who are contacted regarding any MHR system changes and outages reported from members of the public who have trouble accessing the MHR system
  • a committee that meets every two months to discuss issues broader than the Healthi app and is concerned with MHR system improvements of the MHR mobile gateway.

3.41 The OAIC observed that Chamonix does not have formalized or documented procedure for referring or reporting inquiries, complaints or incidents to the ADHA when required, for example under its data breach response plan. There was an indication from Chamonix that reporting or referring matters to the ADHA was conducted in an ad hoc fashion. The OAIC suggests that Chamonix review its data breach response plan, which is also used for managing privacy inquiries and complaints, to amend the plan to include procedures for referring privacy inquiries, complaints, or incidents to the ADHA when required.

APP 5 - Notification of collection of personal information

APP 5.1 – Reasonable steps to provide notice of collection

3.42 APP 5.1 requires an entity to take reasonable steps either to notify an individual of certain matters (‘APP 5 matters’ - discussed separately below) or to ensure the individual is aware of those matters. Reasonable steps must be taken at or before the time of collection, or as soon as practicable afterwards.

3.43 The OAIC observed that Chamonix took a number of steps to inform the users of the Healthi app of the collection of their personal information, including:

  • privacy policy and a security policy on the Healthi app website which set out how Chamonix and the Healthi app collects, uses, discloses and protects MHR data
  • links within the Healthi app, at points when an individual makes a decision, to the privacy policy and security policy
  • information in the form of frequently asked questions (FAQs) within the Healthi app which are presented to the individual before they consent to the collection of personal information and serves as the primary collection notice for the Healthi app. Similar FAQ statements can also be found on the Healthi app website [18].

3.44 The OAIC did not observe a collection notice when information is collected via the Healthi app website’s webform or via email, nor was Chamonix able to verify whether a collection notice is verbally given to users of the Healthi app who communicate with Chamonix over the phone. This raises the medium risk that users of the Healthi app who provide personal information to Chamonix via the webform or over the phone may not fully understand how Chamonix will handle their personal information.

3.45 The webform does not include a warning to customers that they should not provide any unnecessary personal information for the purposes of the enquiry, for example sensitive information such as their Individual Healthcare Identifier (IHI) or specific health information from their MHR.

3.46 Chamonix should include a collection notice on the Healthi app website for instances where personal information is collected via the Healthi app webform or via email. A brief collection notice should also be verbally provided to consumers if any personal information is collected over the phone via the contact number on the Healthi app website.

3.47 As part of the collection notice Chamonix should consider adding to the webform on the Healthi app website a warning to customers that they should not disclose any unnecessary personal information or sensitive information when filling out the web form, for example their sensitive information such as IHI or specific health information from their MHR.

3.48 The OAIC also recommends that Chamonix consider measures which limit or remove the ability for users to include unnecessary personal information via the webform for example by utilizing fields with drop down menus or only allowing consumers to enter specific types of information such as name, phone number and/or email address.

Recommendation 3

Chamonix should:

  • include an APP 5 collection notice on the Healthi website for instances where personal information is collected via the Healthi app webform or via email. A brief collection notice should also be verbally provided to consumers if any personal information is collected over the phone via the contact number on the Healthi app website
  • consider adding to the webform on the Healthi app website a warning to customers that they should not disclose any unnecessary personal information for the purposes of the enquiry when filling out the web form, for example their sensitive information such as their IHI or specific health information from their MHR
  • consider measures which limit or remove the ability for users to include unnecessary personal information via the webform for example by utilizing fields with drop down menus or only allowing consumers to enter specific types of information such as name, phone number and/or email address.

APP 5.2 – Content of notices of collection (APP 5 matters)

3.49 APP 5.2 lists the APP 5 matters that must be notified to an individual or of which they must be made aware. The APP 5 matters include:

  • the APP entity’s identity and contact details
  • the fact and circumstances of collection of personal information
  • whether the collection of personal information is required or authorised by law
  • the purposes of collection of personal information
  • the consequences if personal information is not collected
  • how the entity usually discloses personal information of the kind collected by the entity
  • information about the entity’s APP Privacy Policy
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

3.50 To examine the effectiveness of collection notices within the Healthi app (in-app notices), the OAIC interviewed key development staff and undertook a product demonstration of the app’s set-up process.

3.51 The FAQ style APP 5 notice of collection within the Healthi app (discussed earlier) addresses most of the APP 5 matters set out under APP 5.2. However, the OAIC identified the following APP 5 matters that were not included in the notice which represents a medium risk that Chamonix is not fully complying with its APP 5 obligations:

  • whether the collection is required or authorised by law required (APP 5.2(c)) – the notice does not contain a direct reference to the relevant Australian law that authorises the collection by the Healthi app. Instead, the notice only includes a statement that the app is compliant with Australian privacy laws. If it is not reasonable to name the particular law relied upon (e.g. if there are multiple laws) the more practical option may be to include a generic description of the laws under which personal information is collected (e.g. My Health Record legislation)
  • the privacy policy contains information about how the individual may access and seek correction of their personal information held by Chamonix, complain to Chamonix about a breach of the APPs and how Chamonix will deal with such a complaint (APP 5.2(g) and (h)). Noting that the compliance requirements of Chamonix’s privacy policy under APP 1.4 are outside the scope of this assessment, a brief analysis indicates that this information may not be included in the privacy policy but is published elsewhere on the Healthi app website. Chamonix should review the privacy policy to ensure compliance with APP 5.2 (g) and (h)
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located (APP 5.2(i) and (j)). Even though it may be implied through its statement within the notice that the Healthi app will not share any health information, the OAIC recommends that the FAQs clearly note that the Healthi app will not disclose personal information to overseas recipients to ensure compliance with APP 5.2(i) and (j).

3.52 The OAIC recommends that Chamonix review the in-app FAQ style APP 5 notice of collection notice to ensure that it covers all APP 5 matters stated in APP 5.2, in particular:

  • whether collection of personal information is required or authorised by law
  • overseas disclosure of personal information
  • Healthi app’s privacy policy containing information related to the access and correction of personal information and management of complaints.

3.53 The OAIC suggests that Chamonix could include an additional text in the Healthi app FAQ notice, explaining that information within the MHR is managed by ADHA and providing a link to the relevant ADHA page on access and correction of personal information.

3.54 There is no mechanism within the Healthi app to notify consumers of changes to the underlying MHR system and the MHR components of the Healthi app. Where users rely on the Healthi app as their sole source of access to the MHR system, it is reasonably foreseeable that they may miss notifications regarding changes to the collection, use or disclosure of their MHR information by the ADHA. The OAIC suggests Chamonix could consult the ADHA as to the best way to notify customers of changes to the MHR system and the MHR components of the Healthi app, for example whether such notifications could be included in app pages controlled by Chamonix, Services Australia (myGov sign in page) or ADHA (MHR system).

Recommendation 4

Chamonix should review the Healthi in-app FAQ style APP 5 collection notice to ensure that it covers all APP 5 matters stated in APP 5.2, in particular:

  • whether collection of personal information is required or authorised by law
  • clarification regarding the overseas disclosure of personal information
  • the Healthi app’s privacy policy containing information related to the access and correction of personal information and management of complaints.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that Chamonix should:

  • regularly evaluate its internal policies and procedures relevant to the Healthi app to ensure their adequacy and currency and implement a process for updating these policies and procedures in a manner that suitable for the organisation and in consideration of its obligations under APP 1.2.
  • regularly review and test its data breach response plan to ensure it is up to date and that Chamonix staff know what actions they are expected to take. Chamonix could test its procedures by, for example, responding to a hypothetical data breach and reviewing how its response could be made more effective and then update the plan accordingly
  • develop and implement a PMP.

Response by Chamonix to the recommendation

4.2 Agreed. Chamonix will implement regular reviews of our policies and procedures in addition to testing our breach response plan. A PMP will be implemented.

Recommendation 2

OAIC recommendation

4.3 The OAIC recommends that Chamonix should Implement regular and mandatory privacy refresher training for all staff. This training should include short-term staff and contractors. Such training should cover privacy obligations for staff under the APPs, MHR legislation and under Chamonix’s data breach response plan. Chamonix should also record staff attendance at training to ensure all staff complete the training on a regular basis.

Response by Chamonix to the recommendation

4.4 Agreed. Training has been implemented at employee induction and will be refreshed regularly.

Recommendation 3

OAIC recommendation

4.5 The OAIC recommends that Chamonix should:

  • include an APP 5 collection notice on the Healthi website for instances where personal information is collected via the Healthi webform or via email. A brief collection notice should also be verbally provided to consumers if any information is collected over the phone via the contact number on the Healthi website
  • consider adding to the webform on the Healthi app website a warning to customers that they should not disclose any unnecessary personal information for the purposes of the enquiry when filling out the web form, for example their sensitive information such as their IHI or specific health information from their MHR
  • consider measures which limit or remove the ability for users to include unnecessary personal information via the webform for example by utilizing fields with drop down menus or only allowing consumers to enter specific types of information such as name, phone number, email address.

Response by Chamonix to the recommendation

4.6 Agreed. Chamonix will take these steps to minimise the possibility of users inadvertently providing personal information.

Recommendation 4

OAIC recommendation

4.7 The OAIC recommends that Chamonix should review the Healthi in-app FAQ style APP 5 collection notice to ensure that it covers all APP 5 matters stated in APP 5.2, in particular:

  • whether collection of personal information is required or authorised by law
  • clarification regarding the overseas disclosure of personal information
  • the Healthi app’s privacy policy containing information related to the access and correction of personal information and management of complaints.

Response by Chamonix to the recommendation

4.8 Agreed.

Part 5: Description of assessment

Role of the OAIC

5.1 The OAIC oversees the privacy aspects of the MHR system, including:

  • investigating the mishandling of health information in an individual’s MHR
  • giving privacy guidance to users of the MHR system
  • accepting and assessing data breach notifications in relation to MHR data
  • conducting privacy assessments.

5.2 The OAIC provides independent privacy assessment services to the System Operator, the ADHA in accordance with the ADHA MoUwhich requires the OAIC to conduct assessments during the period covered by that MoU in relation to the MHR System or the HI Service.

Objective and scope of the assessment

5.3 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.4 The objective of this assessment is to determine whether Chamonix is handling personal information of registered healthcare recipients in accordance with APPs 1.2 and 5. Specifically, the assessment will include consideration of whether Chamonix:

  • is taking reasonable steps in accordance with APP 1.2 to implement practices, procedures and systems that will ensure compliance with the APPs
  • is taking reasonable steps to notify individuals of the collection of personal information in accordance with APP 5.1
  • has privacy notices that address the matters listed in APP 5.2.

5.5 The scope of the assessment is limited to steps taken by Chamonix to comply with APPs 1.2 and 5, when handling the personal information (including MHR information) of registered healthcare recipients as an RPO as defined by MHR Act.

Privacy risks

5.6 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (Appendix A refers), the OAIC makes recommendations to Chamonix about how to address those risks. These recommendations are set out in Part 4 of this report.

5.7 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.

5.8 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Timing, location and assessment techniques

5.9 The OAIC conducted a risk-based assessment of Chamonix’s handling of personal information (including MHR information) of registered healthcare recipients in its relation to the APPs.

5.10 The assessment involved the following:

  • review of relevant policies and procedures provided by Chamonix
  • in light of travel restrictions relating to the COVID-19 pandemic, fieldwork, which included virtual interviews of key members of staff through videoconferencing platforms on 21, 23, 26 and 27 October 2020

Reporting

5.11 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Assumptions and Caveats

5.12 The OAIC reviewed the Healthi privacy policy against the requirements of APP 5. Assessors did not consider the privacy policy against the requirements of APP 1.3-1.6 as this is outside the scope of this privacy assessment.

5.13 Readers must not take this report as an endorsement of the Healthi app by the OAIC, or any other Chamonix product or service.

5.14 APP 1.2 requires that APP entities have processes, procedures and systems in place to ensure compliance with the APPs. This privacy assessment considered whether processes, procedures and systems are in place – it did not examine the compliance of Chamonix with any specific APPs except APPs 1.2 and 5.

Appendix A: Privacy risk guidance

Privacy risk rating Entity action required Likely outcome if risk is not addressed

High risk.

Entity must, as a high priority, take steps to address mandatory requirements of privacy regulation.

Immediate management attention is required.

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects.

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals' personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies).

Medium risk.

Entity should, as a medium priority, take steps to address office expectations around requirements of privacy regulation.

Timely management attention is expected.

This is an internal control or risk management issue that may lead to the following effects.

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals' personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts,\ such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies).

Low risk.

Entity could, as a lower priority for high and medium risks, take steps to better address compliance with requirements of privacy regulation.

Management attention is suggested.

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality an/or efficiency of the entity or process being assessed

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met.

Footnotes

[1] Section 5 of the My Health Records Act 2012 (Cth) (MHR Act), defines a ‘participant in the My Health Record System’ as:

a) the System Operator
b) a registered healthcare provider organisation
c) the operator of the National Repositories Services
d) a registered repository operator
e) a registered portal operator
f) a registered contracted services provider, so far as the contracted service provider provides services to a registered healthcare provider.

[2] Section 5 of the My Health Records Act 2012 (Cth) (MHR Act), defines a ‘participant in the My Health Record System’ as:

MyGov is an online digital identity service operated by Services Australia, which provides users with access to select Australian Government online services.

[3] See https://www.myhealthrecord.gov.au/glossary/ (accessed 17 February 2021)

[4] Mobile gateway is an industry term for the software or hardware that provides the secure communication between a mobile application and a network (such as the MHR system).

[5] See https://chamonix.com.au/ (accessed 15 December 2020).

[6] The Privacy Act covers private sector organisations with an annual turnover more than $3 million, subject to some exceptions.

[7] My Health Record was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

[8] All apps accessing the MHR system must inform users that they will need a myGov account (my.gov.au) and an MHR that is linked to their myGov account.

[9] See https://support.yourhealthi.com.au/index.php (accessed 15 December 2020).

[10] See https://yourhealthi.com.au/privacy.html (accessed 15 December 2020).

[11] See https://yourhealthi.com.au/security.html (accessed 15 December 2020).

[14] APP 1.4(d) and (e)

[16] A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. APP 1 requires APP entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs and enable them to deal with enquiries or complaints about privacy compliance. In this way, the APPs require ‘privacy by design’, an approach whereby privacy compliance is designed into projects dealing with personal information right from the start, rather than being bolted on afterwards. Conducting PIAs helps entities to ensure privacy compliance and identify better practice.

[17] (Chamonix was awarded an $8 million contract with ADHA in 2019 to develop MHR integration software used by hospitals and private diagnostic providers to connect to the MHR infrastructure see: https://www.crn.com.au/news/adelaide-it-services-provider-chamonix-lands-8-million-govt-healthcare-software-deal-527822 (accessed 11 January 2021).

[18] See https://yourhealthi.com.au/help.html (accessed 15 December 2020).